Operational Resilience

What is Operational Resilience?

Operational resilience is an organisation’s ability to detect, prevent, respond to, recover from and learn from operational disruptions that may impact delivery of important business and economic functions or underlying business services.

The key components of operational resilience - which include defining and understanding important business services and impact tolerance, as well as completing end-to-end mapping, scenario testing, and regular self-assessments - are essential guideposts on the road to resiliency.

Where are you on your resilience journey?

Supervisory authorities’ policy expectations must be addressed by March 2022.

Why is it important?

Resilience is ingrained in our vocabulary, especially in today’s challenging business landscape. In its simplest form, resilience can be defined as the ability to recover from setbacks. Unlike risk, which has a probabilistic component and creates significant uncertainty, operational resilience must be approached on the basis that disruption is an inevitability.

Systems will fail, cyber-attacks will be successful, and pandemics will occur. Having a firm understanding of how to minimise the impact of a disruption to your external stakeholders and the broader economy, knowing where your organisation’s vulnerabilities lie, and developing your foundational elements (e.g., cyber, business, third-party, and technology resilience) will help your organisation recover more quickly and minimise customer harm.

What is the connection between operational resilience and business continuity management?

Business Continuity Management (BCM) is the design, development, implementation and maintenance of strategies, teams, plans and actions that provide protection over, or alternative modes of operation for, those activities or business processes which, if they were to be interrupted, might bring about seriously damaging or potentially significant loss to an enterprise.

All sectors and sizes of companies can benefit from a BCM programme. An operational resilience programme can enhance and extend traditional BCM practices and concepts by incorporating various approaches such as testing extreme-but-plausible scenarios, front-to-back process mapping and aligning all aspects of cyber, third-party and technology resilience, as illustrated in Protiviti’s Operational Resilience framework.

Interested in a quick explanation of the relationship between BCM and Operational Resilience? Check out Protiviti’s video.

What Should You Ask In Your Role?

Head of Resilience

With developments in technology and potential heightened risk for an extreme-but-plausible event, companies have implemented resilience roles to oversee operational processes and controls and understand the complexity of the organisation and economic environment. Owning an operational resilience programme within an organisation involves governance of the programme, technology change to enhance recovery, and the adoption of a cultural change to embed resilience in the minds of all employees.

Some key questions the Head of Resilience should ask are:

  • How resilient is my organisation?
  • Should my organisation be more resilient?
  • Is there a defined operational resilience framework and programme in place to deliver on each component?
  • Are there real-time lessons to be learned from tracking?
  • Where are the key resource vulnerabilities across my important business services (i.e., people, process, information, technology, facilities, and third parties)?
  • How do current and planned changes in our business model impact our current operational resilience programme?
  • Do we expect to have a clear view of our vulnerabilities, and funding and action plans to address them by Q1 2022?
  • Do we have an agile and rapid response to incidents?
  • Does the current technology stack enable me to provide a clear and concise view of our state of resilience to the Board and Senior Management Team?
  • Do we have the right level of stakeholder participation across the business?

Chief Information Security Officer

Quantifying downtime can come in many forms but, at its core, it is a function of the cost of being down measured against time. A firm can accept loss from an operational disruption for a specific period of time, after which it is bound to go out of business. The severity of the cost impact will dictate how long the firm can absorb the disruption. Calculating the organisation’s initial level of resilience and reporting that information will allow the organisation to effectively assess the recovery of an important business service or process and determine the related potential downtime and cost assumptions.

Some key questions the CISO should ask are:

  • How resilient is my organisation?
  • Should my organisation be more resilient?
  • Do identified important business services (IBS) have sufficient cyber focus/monitoring in place to provide an appropriate threat deterrent?
  • Do we have cyber attendance at Op Res governance forums (including change boards)?
  • Do we operate a Lessons Learned database to allow for the allocation, tracking and resolution of Op Res identified actions?
  • Are our monitoring and response capabilities tied into broader enterprise-wide operational resilience efforts?
  • Have we integrated key considerations?
  • How do we validate that our outsourced IBS are appropriately secured (contracts, reporting, evidence)? How does our business model support our ability to respond and recover? Do we have flexible, dynamic and empowered resources to work across silos?

Chief Information Officer / Chief Technology Officer

As head of technology for an organisation, you will face significant challenges in aligning technology strategy and spend with the needs of resilience. Regulated institutions should be able to demonstrate not only their ability to keep important business services running but also how they can keep data secure.

Some key questions the CIO/CTO should ask are:

  • How vulnerable are we to a cyberattack or an unpredictable catastrophic event?
  • What impact will that have on the organisation?
  • How can we create long-term competitive advantages through our focus on Operational Resilience?
  • What learnings can we apply from the pandemic to our approach to Operational Resilience?
  • As we identify key IT initiatives, are we considering the negative or positive impacts on the resilience of business services?
  • What does the technology landscape look like to support our future business state and how do we build resilience into its design?
  • Does the change advisory board/process consider resilience as a key attribute, and how are these changes escalated/approved?

Chief Audit Executive

Incorporating a comprehensive resilience assurance approach into existing governance and foundational element audits will enable firms to develop a resiliency culture and position themselves to respond effectively to common operational disruptions as well as extreme-but-plausible events that could threaten the viability of their organisations, customers and financial markets. The bar in auditing resilience will align with the current third line work efforts, as resilience will be, if it is not already, a critical part of an ongoing audit plan. Self-assessment will advance the work efforts of the third line and provide regulators some comfort that the recoverability of the firm is acceptable.

Some key questions the CAE should ask are:

  • How does the organisation approach operational resilience and how engaged are the board and executives in the operational resilience programme and establishment of the resiliency strategy or objective?
  • Has our organisation clearly defined and articulated its important business services and impact tolerances?
  • Do we have a process of testing our ability to withstand and respond to extreme-but-plausible events?
  • Does our team have visibility into foundational elements of the organisation?
  • How do IA findings report into the Op Res governance structure?
  • Do we have a dynamic assurance process in place to respond to business needs?

Chief Risk Officer

The expectations for regulated institutions include ownership of their operational resilience, prioritising plans and investment choices based on their impacts on the public interest and communicating clearly to customers when disruptions occur. Regulated institutions should be prepared to address issues (e.g., large-scale and sustained power outages) that may extend their resilience beyond their impact tolerances.

Some key questions the CRO should ask are:

  • How is operational resilience governed effectively within the organisation?
  • Do we have dynamic risk assessments in place, supported by good information flows across the organisation, to identify emerging risks quickly?
  • Does the existing governance model allow for appropriate routes of risk escalation, and is enough focus being applied?
  • Has our risk profile changed as a result of the changing threat landscape (i.e., pandemic, multiple incidents)?
  • How has the control environment changed, and what additional assurance needs to be provided?

Board of Directors

The culture of the firm, starting at the board level, has a significant impact on the resilience of a firm. Culture will drive firms’ decisions and employees’ actions, and ensure firms conduct themselves in ways that enhance resilience and decrease harm.

The tone must be set at the top of the organisation for resilience to become a part of business as usual. The ability to recover from an event so that consumers are not harmed should drive key decisions around project selection, technology implementation and other key functions of the firm.

Some key questions the Board of Directors should ask are:

  • How resilient is our organisation?
  • How do we track changes in resilience within our organisation?
  • Do we receive the right level of information about the state of resiliency within our firm?
  • How is our operational programme organised, who is responsible for preparing for and responding to various resilience events, and to what extent are the line-of-business leaders engaged?
  • How prepared is the organisation for operational resilience? Has management given the topic sufficient attention to ensure organisational preparedness?
  • How does the organisation approach operational resilience, and how engaged are the board and senior executives in establishing the overall operational resilience objectives and strategy, and monitoring the execution of that strategy?
  • Has the organisation defined its important business services, as well as the impact tolerances for those services? Has it considered the extreme-but-plausible events that could result in an impact that exceeds established tolerances?
  • Has management demonstrated a clear understanding of the organisation’s dependencies on third-party vendors and the level of risk they introduce into the delivery of important business services?
  • How does our business model support our ability to respond and recover? Do we have flexible, dynamic and empowered resources to work across silos? Do we have a robust internal and external communication strategy in place for use during operational disruptions?
  • Has management allocated sufficient funding and attention to address identified vulnerabilities?

Global Financial Markets Alliance

Protiviti is a Premium Associate Member of SIFMA, AFME and ASIFMA.

Protiviti actively engages with the associations, committees and working groups, sharing insights and expertise on crucial industry developments, speaking at conferences and events, and contributing to advocacy efforts for effective and resilient capital markets. Our membership allows us to contribute our deep understanding of the continually evolving and competitive financial services industry landscape.
